Hi, I configured WireGuard on RouterOS 7.2rc3. I have access to almost all devices.
Devices that are reachable: 192.168.162.1 (RouterOS), 192.168.162.2 (OpenWrt), 192.168.162.11 (Raspberry pihole Docker MACVLAN), (192.168.162.150-165, all my ESP8266 devices).
Devices unreachable: 192.168.162.3 (Huawei router panel), 192.168.162.10 (Raspberry Pi with Proxy Management on ports 80, 443 and many docker containers).
My RouterOS config:
[admin@MikroTik] > /ip address print
Flags: X, D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
0 192.168.162.1/24 192.168.162.0 ether2
1 X 192.168.8.2/24 192.168.8.0 ether1(WAN)
2 D PUBLICIP/16 178.182.0.0 ether1(WAN)
3 172.22.0.1/24 172.22.0.0 wireguard1
[admin@MikroTik] > /interface/wireguard print
Flags: X - disabled; R - running
0 R name="wireguard1" mtu=1420 listen-port=13231
private-key="PRIVATEKEY"
public-key="XlfKfY+YeXeUBGDLrYyu+AAJoy748AtvGRfqiNEKICk="
[admin@MikroTik] > /interface/wireguard/peers print
Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-PORT, ALLOWED-ADDRESS
# INTERFACE PUBLIC-KEY E ALLOWED-ADDRESS
0 wireguard1 WemPD94m9JFAS8yDXYPoWLpdISt5p8gGvW7XojzOm20= 0 172.22.0.2/32
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 chain=forward action=accept src-address=192.168.162.0/24 dst-address=172.22.0.0/24
3 chain=forward action=accept src-address=172.22.0.0/24 dst-address=192.168.162.0/24
4 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
5 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
6 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
7 X ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
8 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
9 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
10 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
11 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=yes log-prefix="invalid"
13 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
14 ;;; default configuration
chain=input action=accept connection-state=established,related
15 chain=input action=accept src-address-list=allowed_to_router
16 chain=input action=accept protocol=icmp
17 X chain=input action=drop log=no log-prefix=""
18 ;;; Established, Related
chain=forward action=accept connection-state=established,related
19 ;;; jump to ICMP filters
chain=forward action=jump jump-target=icmp protocol=icmp
20 X ;;; Drop incoming from internet which is not public IP
chain=forward action=drop src-address-list=not_in_internet in-interface=ether1(WAN) log=yes log-prefix="!public"
21 ;;; echo reply
chain=icmp action=accept protocol=icmp icmp-options=0:0
22 ;;; net unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:0
23 ;;; host unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:1
24 ;;; host unreachable fragmentation required
chain=icmp action=accept protocol=icmp icmp-options=3:4
25 ;;; allow echo request
chain=icmp action=accept protocol=icmp icmp-options=8:0
26 ;;; allow time exceed
chain=icmp action=accept protocol=icmp icmp-options=11:0
27 ;;; allow parameter bad
chain=icmp action=accept protocol=icmp icmp-options=12:0
28 ;;; deny all other types
chain=icmp action=drop log=no log-prefix=""
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
1 ;;; Pi Server
chain=dstnat action=dst-nat to-addresses=192.168.162.10 protocol=tcp dst-address=PUBLICIP dst-port=80,443 log=no log-prefix=""
2 ;;; SSH Raspberry Pi
chain=dstnat action=dst-nat to-addresses=192.168.162.10 to-ports=22 protocol=tcp dst-address=PUBLICIP dst-port=16222 log=no log-prefix=""
3 ;;; NAT Loopback
chain=srcnat action=masquerade protocol=tcp src-address=192.168.162.0/24 dst-address=192.168.162.10 out-interface=bridge1 log=no log-prefix=""
4 ;;; Supla App Pi Docker
chain=dstnat action=dst-nat to-addresses=192.168.162.10 protocol=tcp dst-address=PUBLICIP dst-port=2015,2016 log=no log-prefix=""
5 ;;; Moonlight Internet Stream
chain=dstnat action=dst-nat to-addresses=192.168.162.100 protocol=tcp dst-address=PUBLICIP dst-port=47984,47989,48010 log=no log-prefix=""
6 ;;; Moonlight Internet Stream
chain=dstnat action=dst-nat to-addresses=192.168.162.100 protocol=udp dst-address=PUBLICIP dst-port=47998,47999,48000,48002,48010 log=no log-prefix=""
CLIENT WINDOWS CONFIG
[Interface]
PrivateKey = PRIVATEKEY
Address = 172.22.0.2/32
DNS = 172.22.0.1
[Peer]
PublicKey = XlfKfY+YeXeUBGDLrYyu+AAJoy748AtvGRfqiNEKICk=
AllowedIPs = 192.168.162.0/24, 172.22.0.0/24
Endpoint = PUBLICIP:13231
PersistentKeepalive = 10
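Added example, not part of the post above and not MikroTik's own code: a small Python first-match simulator over a subset of the filter and srcnat rules transcribed from the post, to check which rule handles VPN-to-LAN traffic, the LAN host's reply, and unsolicited WAN traffic before touching the router. It assumes the interface-list membership shown in the code (ether1(WAN) in WAN, ether2 in LAN, wireguard1 in neither), that LAN traffic leaves the router on ether2 as the /ip address print suggests, and that no ipsec policies are in play (rules 8 and 9 and the disabled rules are therefore left out). Rule numbers match the print output.

```python
import ipaddress

# Constructed sample: a subset of the rules from the post, in their original
# order. Interface-list membership below is an assumption, not from the post.
IFACE_LISTS = {"WAN": {"ether1(WAN)"}, "LAN": {"ether2"}}

CHAINS = {
    "forward": [
        (2,  {"action": "accept", "src": "192.168.162.0/24", "dst": "172.22.0.0/24"}),
        (3,  {"action": "accept", "src": "172.22.0.0/24", "dst": "192.168.162.0/24"}),
        (10, {"action": "fasttrack-connection", "cstate": {"established", "related"}}),
        (11, {"action": "accept", "cstate": {"established", "related", "untracked"}}),
        (12, {"action": "drop", "cstate": {"invalid"}}),
        (13, {"action": "drop", "cstate": {"new"}, "nat_state_not": "dstnat", "in_list": "WAN"}),
        (18, {"action": "accept", "cstate": {"established", "related"}}),
        (19, {"action": "jump", "target": "icmp", "proto": "icmp"}),
    ],
    "icmp": [
        (21, {"action": "accept", "proto": "icmp", "icmp": "0:0"}),
        (25, {"action": "accept", "proto": "icmp", "icmp": "8:0"}),
        (28, {"action": "drop"}),
    ],
    "srcnat": [
        (0, {"action": "masquerade", "out_list": "WAN"}),
        (3, {"action": "masquerade", "proto": "tcp", "src": "192.168.162.0/24",
             "dst": "192.168.162.10/32", "out_iface": "bridge1"}),
    ],
}

TERMINAL = {"accept", "drop", "masquerade"}


def rule_matches(rule, pkt):
    """True when every matcher present in the rule matches the packet."""
    checks = {
        "src": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v),
        "dst": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v),
        "cstate": lambda v: pkt["cstate"] in v,
        "proto": lambda v: pkt["proto"] == v,
        "icmp": lambda v: pkt.get("icmp") == v,
        "in_list": lambda v: pkt["in_iface"] in IFACE_LISTS[v],
        "out_list": lambda v: pkt["out_iface"] in IFACE_LISTS[v],
        "out_iface": lambda v: pkt["out_iface"] == v,
        # connection-nat-state=!dstnat matches when the connection is NOT dstnat'ed
        "nat_state_not": lambda v: pkt.get("nat_state") != v,
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)


def first_match(chain, pkt):
    """Walk a chain top-down as RouterOS does; return (rule_number, verdict).

    fasttrack-connection is non-terminating, so the packet continues to the
    next rule. A jump evaluates the target chain and only returns to the caller
    if that chain ended without a verdict. No match at all is the implicit
    default: accept for filter chains, no translation for srcnat.
    """
    for number, rule in CHAINS[chain]:
        if not rule_matches(rule, pkt):
            continue
        action = rule["action"]
        if action in TERMINAL:
            return number, action
        if action == "jump":
            verdict = first_match(rule["target"], pkt)
            if verdict[0] is not None:
                return verdict
    return None, ("no-nat" if chain == "srcnat" else "accept")


def packet(src, dst, in_iface, out_iface, cstate="new", proto="tcp", **extra):
    """Build a minimal packet/connection description for the matcher."""
    return dict(src=src, dst=dst, in_iface=in_iface, out_iface=out_iface,
                cstate=cstate, proto=proto, **extra)


if __name__ == "__main__":
    vpn_to_pi = packet("172.22.0.2", "192.168.162.10", "wireguard1", "ether2")
    print("VPN -> Pi, forward:", first_match("forward", vpn_to_pi))   # (3, 'accept')
    print("VPN -> Pi, srcnat: ", first_match("srcnat", vpn_to_pi))    # (None, 'no-nat')
    unsolicited = packet("203.0.113.5", "192.168.162.10", "ether1(WAN)", "ether2")
    print("WAN -> Pi, forward:", first_match("forward", unsolicited))  # (13, 'drop')
```

Two things the simulation makes visible: the forward chain accepts both directions between 172.22.0.0/24 and 192.168.162.0/24 at rules 2 and 3 before fasttrack or the WAN drop are reached, and the srcnat chain masquerades only on out-interface-list=WAN, so a LAN host sees the VPN client's real 172.22.0.2 source address and must have a route back to 172.22.0.0/24 via the router (a host using a different default gateway will answer elsewhere). Whether that is the case for 192.168.162.3 and .10 is not visible in the post; the model only shows what the router itself will and will not do.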